Description

In 1.11 KRB5 gained client side support for OTP Preauth (RFC 6560), but up until now there is no server side support in tree. Red Hat has created an out-of-tree solution (AuthHub), based upon a plugin model. But our experimenting with this approach has demonstrated:

Access to vendor SDKs is non-trivial

All vendors provide a RADIUS server for OTP validation

Proposal

The KDC-side support for OTP should read configuration and forward token validation to an appropriate RADIUS server. This plugin will be called otp. In addition to standard RADIUS, the otp plugin will support a non-standard RADIUS over Unix Socket (RoUS; inconceivable!) mode for handling local companion daemons.

All values are optional except secret when a non-RoUS server is specified.

NOTE: We only permit a single server to be defined because we are assuming that redundancy will be handled via DNS round-robin.

Default Token Type

There is a reserved token type name: DEFAULT. If no DEFAULT token type configuration is defined, the following configuration will be used internally:

[otp]
DEFAULT = {
strip_realm = false
}

You can override this default token type configuration by defining your own token type configuration with the name of DEFAULT.

Token Instance Configuration

Some portion of the otp plugin configuration is user specific. This value will be stored as the user string otp with the following JSON formatted array of token objects:

[{
"type": <string>,
"username": <string>
}, ...]

If type is not specified then it refers to the DEFAULT token type as defined above. The username field overrides the default User-Name attribute sent in the RADIUS packet.

All values above are optional. If the user string is an empty string or is an empty list, then a user string of "[{}]" will be assumed.

OTP Enablement

The otp plugin will be enabled for all principals which have the otp user string set, regardless of its value. Conversely, if the otp user string is unset, the otp plugin will be disabled for the principal.

Workflow

In the first pass (no PA-OTP-REQUEST present), the otp plugin will look up the otp user string on the given principal. If the string is set (i.e. non-NULL), a generic PA-OTP-CHALLENGE will be sent to the client (no optional fields will be filled in).

Upon receipt of a PA-OTP-REQUEST, the KDC will look up the RADIUS servers using the otp user string and kdc.conf configuration. All RADIUS servers will be used for validation, in the order they were specified in the otp user string, stopping after the first Access-Accept response is received.